Open source software security

Drupal Print 6.x-1.7 Multiple XSS Vulnerabilities

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third-party modules. The Printer, e-mail and PDF versions module (http://drupal.org/project/print), hereafter referred to as Print, generates printer-friendly versions of nodes and PDF versions of nodes, and sends nodes to e-mail recipients. The Print module contains numerous stored cross-site scripting (XSS) vulnerabilities.

Description of Vulnerability

The Print module contains an XSS vulnerability because it does not properly sanitize the footer text when rendering printer-friendly views. This allows users with 'administer print' permission to inject arbitrary HTML into the footer field, which is rendered whenever the printer-friendly version of any node is displayed.

The Print module also contains an XSS vulnerability because the 'Stylesheet URL' input is not properly sanitized when displayed. This allows malicious users to inject external stylesheet locations into the link tag emitted on printer-friendly versions of nodes. Combined with Internet Explorer's support for "expression" in CSS, this allows XSS attacks.

The Print module also contains an XSS vulnerability because the site name is not properly sanitized when the e-mail confirmation is displayed in the "Thank you for spreading the word about [site_name]" area. The Print module also contains an XSS vulnerability because it does not properly sanitize the 'Thank You Message:' input.

The Print module also contains an XSS vulnerability because it does not properly sanitize node titles for display in the breadcrumbs on printer-friendly versions of nodes.

The Print module also contains an XSS vulnerability because it does not properly sanitize the 'font family' setting when displaying PDF versions of nodes.
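To make the remediation concrete, here is an added illustration (not the Print module's own code) of the Drupal 6 output-escaping pattern each finding above calls for: every administrator-supplied setting is escaped or validated at the point it is rendered, and the font name is restricted to a fixed list before it reaches TCPDF. It assumes Drupal 6's real check_plain() and check_url() (simplified stand-ins are defined so the file also runs outside Drupal); the sample values are constructed.

```php
<?php
// Added example, not code from the Print module. Drupal 6's check_plain() and
// check_url() are real API; simplified stand-ins are defined here so the file
// also runs outside Drupal. All sample values are constructed.
if (!function_exists('check_plain')) {
  function check_plain($text) { return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('check_url')) {
  // Simplified stand-in: accept http(s) URLs and site-relative paths only.
  function check_url($uri) {
    return preg_match('#^(https?://|/)#i', $uri) ? check_plain($uri) : '';
  }
}

// Vulnerable pattern: an admin-supplied setting is concatenated into the page as-is,
// so whoever holds 'administer print' controls what every printer-friendly page renders.
function print_footer_unsafe($footer) {
  return '<div class="print-footer">' . $footer . '</div>';
}

// Hardened: treat the setting as text and escape it where it is rendered. The same
// applies to the site name, breadcrumb node titles and the thank-you message.
// (filter_xss() with a tag whitelist is the alternative if limited markup is intended.)
function print_footer_safe($footer) {
  return '<div class="print-footer">' . check_plain($footer) . '</div>';
}

// Stylesheet URL: it is both an attribute value and a URL, so validate the scheme and
// escape quotes; a rejected value drops the <link> rather than emitting a broken one.
function print_stylesheet_link_safe($url) {
  $url = check_url($url);
  return $url === '' ? '' : '<link rel="stylesheet" type="text/css" href="' . $url . '" />';
}

// PDF font family: the value reaches TCPDF's SetFont(), so accept only a fixed list.
function print_pdf_font_safe($font, $allowed = array('helvetica', 'times', 'courier')) {
  $font = strtolower(trim($font));
  return in_array($font, $allowed, TRUE) ? $font : 'helvetica';
}

// Constructed demonstration values.
echo print_footer_unsafe('Printed from <b>Example</b>'), "\n";   // markup passes through
echo print_footer_safe('Printed from <b>Example</b>'), "\n";     // markup is escaped
echo print_stylesheet_link_safe('/sites/default/print.css'), "\n";
echo print_stylesheet_link_safe('ftp://example.net/print.css'), "\n"; // rejected: empty
echo print_pdf_font_safe('Helvetica; other'), "\n";              // falls back to helvetica
```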

Systems affected:

Drupal 6.12 with Print 6.x-1.7 and TCPDF 4.6.012 was tested and shown to be vulnerable to footer XSS injection. Drupal 6.12 with Print 6.x-1.7 and IE 6 was tested and shown to be vulnerable to link XSS injection. Additional testing indicated that the 5.x-4.7 branch of the Print module is also vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise, which could in turn lead to compromise of the web server process.

Mitigating factors:

Print must be installed and enabled. The attacker must have 'administer print' permission in order to carry out the proof of concept exploit detailed below. Site administration permissions are required to carry out the site name injection described in the proof of concept below. Internet Explorer is vulnerable to the malicious style sheet inclusion proof of concept detailed below; other browsers may not be affected, depending on their support for the 'expression' statement in cascading style sheets (CSS). Note that the proof of concept provided utilizes known attack vectors; other vectors may exist.